While the master key acts like a password in the context of the Cyph UX, it is actually used as a 128-bit encryption key¹ and is impossible to crack via brute-force attacks using any amount of computing power on Earth.

A form of augmented PAKE is used to authenticate the user with the Cyph cloud infrastructure without revealing anything about the master key to our server.

As mentioned, a symmetric encryption key is derived from the master key (via Argon2id hashing), which is then used to decrypt an encrypted payload from the server that contains a second symmetric key.

After that point, it’s pretty much exactly the same in principle as full disk encryption, with that second key being used to encrypt and decrypt all user data; the only difference is that instead of a local disk the storage medium is a remote service.
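The key hierarchy described in the two paragraphs above, as an added example that is not Cyph's own code. It assumes scrypt as a stand-in for Argon2id (Node's standard library has no Argon2id) and AES-256-GCM as the symmetric cipher; all function names and labels are hypothetical, and the PAKE authentication step is omitted.

```javascript
// Added illustration, not Cyph's code. Assumptions: scrypt stands in for
// Argon2id, AES-256-GCM is the cipher, and every name below is hypothetical.
const crypto = require('node:crypto');

const WRAP = Buffer.from('wrapped-data-key'); // AAD label for the wrapped key
const DATA = Buffer.from('user-data');        // AAD label for user records

// Stretch the master key into a 32-byte key-encryption key.
function deriveKek(masterKey, salt) {
  const cost = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
  return crypto.scryptSync(masterKey, salt, 32, cost);
}

// AEAD encrypt: returns nonce (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(aad);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

// AEAD decrypt: final() throws if the key, the AAD or the blob is wrong.
function open(key, blob, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Registration: the random second key reaches the server only in wrapped form.
function createAccount(masterKey) {
  const salt = crypto.randomBytes(16);
  const dataKey = crypto.randomBytes(32);
  return { salt, wrappedKey: seal(deriveKek(masterKey, salt), dataKey, WRAP) };
}

// Login: re-derive the first key and unwrap the second one.
function unlock(masterKey, record) {
  return open(deriveKek(masterKey, record.salt), record.wrappedKey, WRAP);
}

function demo() {
  const masterKey = crypto.randomBytes(16).toString('hex'); // constructed, 128 bits
  const record = createAccount(masterKey);                  // what the server stores
  const blob = seal(unlock(masterKey, record), 'constructed note', DATA);
  return open(unlock(masterKey, record), blob, DATA).toString();
}
console.log(demo());
```

A wrong master key makes `unlock` throw on the authentication tag, so a client finds out locally that the derived key is wrong.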

As in Cyph v1 (ephemeral chat), messages are all secured via the quantum-computing-resistant Castle encryption protocol — with the primary difference being that session state is persisted to your Cyph v2 account’s encrypted cloud storage.

1: To be a little more precise: the password itself has 128 bits of entropy. The actual output of the key derivation process is 32 bytes (256 bits) long, and password hashing adds further hardness against a hypothetical brute-force attack.